Wireless Sniffer on Ubuntu Linux – Capture / Analyze Network Traffic

Jotting down an easy recipe to get a 802.11 sniffer working on Ubuntu Linux. To be able to capture 802.11 packets, the first step is to figure out how to configure your wireless card to make it operate in monitor mode. That procedure differs from one vendor to other. We can take the guess work out by using the airmon-ng utility from the wonderful aircrack-ng software suite. It creates a new network interface which is automatically configured to operate in monitor mode. Its compatible with most wireless cards that are shipped with the laptops these days. You can check here, whether your card is compatible or not. Once we have the wireless interface capable of capturing, we can use Wireshark to capture the packets.

So lets first install all the software that we need.

sudo apt-get install aircrack-ng wireshark libcap2-bin

By default, capturing network packets needs root privileges. To enable capture for regular users, we will have to set the capability string for the dumpcap utility. Wireshark uses dumpcap to capture packet data from a live network.

sudo setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/dumpcap

Next we need to create the network interface cconfigured in monitor mode.

sudo airmon-ng start wlan0

In the above step, you should replace wlan0 with the name of your wireless network interface.

Optionally, you could also specify which wireless channel to operate in.

sudo airmon-ng start wlan0 11

In the above step 11 is the channel number.

airmon-ng will create the network interface mon0.

Now fire up wireshark and start capturing using the mon0 interface.

You could use iwconfig to change channels.

sudo iwconfig mon0 channel 6

You might notice that the channel you set using iwconfig doesn’t take effect. This might happen if you’re connected to the network using your wireless card. Network Manager will reconfigure your card to operate in same channel as the access point you are using. To stop that, stop network manager.

sudo /etc/init.d/network-manager stop

You should restart the network manager when you’re done using the sniffer.

sudo /etc/init.d/network-manager start

You can also destroy the mon0 interface you created earlier using the below command